[Samba] [4.0] Inter-realm trust

Kaito Kumashiro kumashiro.kaito at gmail.com
Mon Apr 8 04:37:48 MDT 2013


On Fri, Apr 5, 2013 at 3:05 AM, Andrew Bartlett <abartlet at samba.org> wrote:

> > I know that inter-domain trust is not supported in Samba, but is it
> > possible to create an inter-realm trust on Kerberos level? I have a
> > kerberized service in realm X (Samba 4.0 as DC) and I want to allow users
> > from realm Y (also Samba 4.0, but different domain) to access it using
> > SPNEGO GSSAPI.
> > If it is possible, how can I accomplish this?
> You can try and set up such a trust with the windows tools.  The pure
> kerberos level should work (because it is a natural part of kerberos,
> which we didn't cripple, but instead did the small work to enable and
> the FreeIPA project added the RPC calls for), but not much else will.
>
Yes, I did use a Windows tool to create a two-way trust between Samba 4.0
servers, but since this feature is still in development, I don't know how
reliable it is. Our kerberized services are pretty critical.
If inter-realm trust (on Kerberos level) in Samba 4.0 is stable, then I'll
be more than happy to use it.
I tried setting up a simple Kerberos trust by creating cross-principals
(with some LDAP hacking), but that didn't work in Samba and worked only
partially when I used SPN instead of "regular" principal, so it's not
exactly a 1 to 1 transition. Something has changed in this regard or some
other mechanism is used for making a trust.

